Control exist certificated in openvidu-proxy

2020-03-27 12:53:04 +01:00 · 2020-03-27 12:53:04 +01:00 · 29fcbd7386
parent 532d3ba2a7
commit 29fcbd7386
4 changed files with 138 additions and 13 deletions
--- a/openvidu-server/docker/openvidu-proxy/Dockerfile
+++ b/openvidu-server/docker/openvidu-proxy/Dockerfile
@ -2,7 +2,7 @@ FROM nginx:1.17.9

 # Install certbot
 RUN apt-get update && \
-    apt-get install -y python python-dev libffi6 libffi-dev libssl-dev curl build-essential procps && \
+    apt-get install -y python python-dev libffi6 libffi-dev libssl-dev curl build-essential procps cron && \
    curl -L 'https://bootstrap.pypa.io/get-pip.py' | python && \
    pip install -U cffi certbot && \
    mkdir -p /var/www/certbot && \
@ -13,6 +13,7 @@ RUN apt-get update && \

 # Default nginx conf
 COPY ./default.conf /etc/nginx/conf.d/default.conf
+COPY ./default_nginx_conf /default_nginx_conf

 # Entrypoint
 COPY ./entrypoint.sh /usr/local/bin
--- a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/default-app.conf
+++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/default-app.conf
@ -0,0 +1,66 @@
+upstream yourapp {
+    server localhost:5442;
+}
+
+upstream openviduserver {
+    server localhost:5443;
+}
+
+server {
+    listen 443 ssl;
+    server_name {domain_name};
+
+    ssl_certificate         /etc/letsencrypt/live/{domain_name}/fullchain.pem;
+    ssl_certificate_key     /etc/letsencrypt/live/{domain_name}/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{domain_name}/fullchain.pem;
+
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_timeout 5m;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+    ssl_prefer_server_ciphers on;
+
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Proto https;
+    proxy_headers_hash_bucket_size 512;
+    proxy_redirect off;
+
+    # Websockets
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+
+    # Your App
+    location / {
+        proxy_pass http://yourapp;
+    }
+
+    # Openvidu Server
+    location /api {
+        proxy_pass http://openviduserver;
+    }
+
+    location /openvidu {
+        proxy_pass http://openviduserver;
+    }
+
+    location /info {
+        proxy_pass http://openviduserver;
+    }
+
+    location /config {
+        proxy_pass http://openviduserver;
+    }
+
+    location /dashboard {
+        rewrite ^/dashboard/(.*)$ /$1 break;
+        proxy_pass http://openviduserver/;
+    }
+}
--- a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/default.conf
+++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/default.conf
@ -0,0 +1,12 @@
+server {
+    listen 80;
+    server_name {domain_name};
+    
+    location / {
+        return 301 https://$host$request_uri;
+    }    
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+}
--- a/openvidu-server/docker/openvidu-proxy/entrypoint.sh
+++ b/openvidu-server/docker/openvidu-proxy/entrypoint.sh
@ -8,35 +8,81 @@ echo "Domain name: ${DOMAIN_OR_PUBLIC_IP}"
 echo "Certificated: ${CERTIFICATE_TYPE}"
 echo "Letsencrypt Email: ${LETSENCRYPT_EMAIL}"

+if [ -z "${NGINX_CONF}" ]; then
+  NGINX_CONF=default
+fi
+
+echo "NGINX Conf: ${NGINX_CONF}"
+
 case ${CERTIFICATE_TYPE} in

  "selfsigned")
-    echo "Creating selfsigned..."
-  
+    echo "===Mode selfsigned==="
    DOMAIN_OR_PUBLIC_IP="openvidu"
-    mkdir -p /etc/letsencrypt/live/openvidu
-    openssl req -new -nodes -x509 \
-      -subj "/CN=openvidu" -days 365 \
-      -keyout /etc/letsencrypt/live/openvidu/privkey.pem -out /etc/letsencrypt/live/openvidu/fullchain.pem -extensions v3_ca
+
+    if [[ ! -f "/etc/letsencrypt/live/openvidu/privkey.pem" && ! -f "/etc/letsencrypt/live/openvidu/fullchain.pem" ]]; then
+      echo "Generating certificated..."
+      
+      rm -rf /etc/letsencrypt/live/*
+      mkdir -p /etc/letsencrypt/live/openvidu
+
+      openssl req -new -nodes -x509 \
+        -subj "/CN=openvidu" -days 365 \
+        -keyout /etc/letsencrypt/live/openvidu/privkey.pem -out /etc/letsencrypt/live/openvidu/fullchain.pem -extensions v3_ca
+    else
+      echo "The certificate already exists, using them..."
+    fi
    ;;

  "owncert")
-    echo "Using owncert..."
+    echo "===Mode owncert==="

-    mkdir -p /etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}
-    cp /owncert/certificate.key /etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/privkey.pem
-    cp /owncert/certificate.cert /etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/fullchain.pem
+    if [[ ! -f "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/privkey.pem" && ! -f "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/fullchain.pem" ]]; then
+      echo "Using owmcert..."
+
+      rm -rf /etc/letsencrypt/live/*
+      mkdir -p /etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}
+      cp /owncert/certificate.key /etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/privkey.pem
+      cp /owncert/certificate.cert /etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/fullchain.pem
+
+    else
+      echo "The certificate already exists, using them..."
+    fi
    ;;

  "letsencrypt")
-    echo "Requesting letsencrypt..."
+    echo "===Mode letsencrypt==="
+
+    # Auto renew cert
+    echo "0 12 * * * certbot renew >> /var/log/nginx/cron-letsencrypt.log" | crontab
+
+    if [[ ! -f "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/privkey.pem" && ! -f "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/fullchain.pem" ]]; then
+      echo "Requesting certificate..."

    certbot certonly -n --webroot -w /var/www/certbot -m ${LETSENCRYPT_EMAIL} --agree-tos -d ${DOMAIN_OR_PUBLIC_IP}
+    else
+      echo "The certificate already exists, using them..."
+    fi
    ;;
 esac

-[ -d "/nginx_conf" ] && rm /etc/nginx/conf.d/* && cp /nginx_conf/* /etc/nginx/conf.d
+# All permission certificated folder
+chmod -R 777 /etc/letsencrypt
+
+if [ "${NGINX_CONF}" == "custom" ]; then
+  rm /etc/nginx/conf.d/*
+  cp /custom_nginx_conf/* /etc/nginx/conf.d
+else
+  rm /etc/nginx/conf.d/*
+  cp /default_nginx_conf/* /etc/nginx/conf.d
+fi
+
 sed -i "s/{domain_name}/${DOMAIN_OR_PUBLIC_IP}/" /etc/nginx/conf.d/*

+# Restart nginx service
 service nginx restart
+
+# Init cron
+cron -f
+
 tail -f /var/log/nginx/*.log